Office of the Inspector General

Audit Report - A-13-96-52001

Office of Audit

The Social Security Administration’s Program for Monitoring the Quality of Telephone Service Provided to the Public A-13-96-52001 - 7/31/97

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
RESULTS OF REVIEW
AUTHORITY TO MONITOR TELEPHONE CONVERSATIONS
SSA COMPLIANCE WITH LAWS AND REGULATIONS
• Consensual Monitoring Under FIRMR
• Continuous Positive Action to Inform the Public of Monitoring
• Minimum Sampling Requirement
• Statistically Valid Sample
• Recording Information of the Calling Public
• SSA’s Authority to Monitor Calls Since the Rescission of FIRMR
• Action Needed by SSA
• Agreement to Comply with State Laws
INTERNAL CONTROLS TO ENSURE COMPLIANCE WITH LAWS, REGULATIONS, AND SSA’s MOU
• No Record or Audit Trail of Monitored Calls
• Access Controls to Monitoring Software Are Minimal
• Software Configuration Allows Improper Monitoring
• SSA Reviews to Assess Compliance with Laws, FIRMR, and MOUs
SUMMARY AND CONCLUSIONS
APPENDICES
Appendix B - Major Contributors

RESULTS OF REVIEW

AUTHORITY TO MONITOR TELEPHONE CONVERSATIONS

Our review addresses conditions that existed while FIRMR applied, discusses the effect of its rescission on SSA’s current authority to monitor calls, and recommends actions that SSA should take in the absence of regulations.

The Omnibus Crime Control and Safe Streets Act of 1968, as amended, 18 U.S.C.
sections 2510-2522, prohibits the intentional interception of telephone communication by means of any electronic, mechanical, or other device. However, there are two exceptions to this general prohibition: (1) consent exception; and (2) business telephone exception.

Consent Exception - Under this exception, it is permissible to intercept and record telephone conversations if one or both of the parties to the communication has given prior consent to the interception.

Business Telephone Exception - This exception permits telephone monitoring in a business setting if: (1) the telephone or telephone equipment has been provided by the telephone company or by the subscriber for connection to the subscriber’s telephone service; and (2) the telephone or telephone equipment must be used in the ordinary course of business. This provision generally permits employers to monitor business related calls of their employees without their consent.

FIRMR section 201-21.603 provided additional restrictions to limit the circumstances under which Federal agencies were authorized to listen to or record telephone conversations.
FIRMR required:

Consensual Listening In - Agencies may only listen to or record calls when at least one party to a telephone conversation knows it is happening or has given prior consent.

Public Service Monitoring - Agencies may only listen to or record calls when performed by an agency official to determine the quality of service, but only after an analysis of alternatives and a written determination by the agency head or a designee that telephone conversation monitoring is required to perform the agency mission.

FIRMR also required that each agency that conducted listening in or recording associated with public service monitoring establish controls and issue written policies and procedures that provided for:

• the agency head or designee to name in writing those agency officials authorized to listen in to telephone conversations;
• continuous positive action to inform the public of monitoring;
• no recording of identifying information of the public callers;
• keeping the number of monitored calls to the minimum necessary to obtain a statistically valid sample;
• conspicuous labeling of telephone instruments subject to monitoring;
• no use of the information obtained by monitoring against the public party; and
• calling party consent for calls that are recorded.

Although FIRMR has been rescinded, we believe it recognized the need to limit the circumstances for which monitoring is permitted and provided Federal agencies essential guidelines to ensure it is not abused. While SSA is no longer legally obligated to comply with FIRMR, SSA officials informed us that it will continue to follow it.
We agree with that decision and believe that FIRMR provides a "best business practice" necessary for the protection of privacy rights, while at the same time allowing SSA to determine whether the public is receiving world-class service.

SSA COMPLIANCE WITH LAWS AND REGULATIONS

Consensual Monitoring Under FIRMR

Section 201-21.603 (b) of FIRMR stated that it applied only to consensual listening in of telephone conversations. This required that at least one party to a telephone conversation knew it was happening or had given prior consent. FIRMR also required SSA to establish controls and written policies and procedures covering seven areas, three of which pertain to obtaining consent. SSA was required to: (1) take continuous positive action to inform the public of monitoring; (2) place conspicuous labeling of telephone instruments subject to monitoring; and (3) obtain calling party consent for calls that are recorded.

In analyzing the FIRMR provisions for consensual listening in of telephone conversations, we reviewed case law interpreting the consent requirements for telephone monitoring under 18 U.S.C. sections 2510-2520. Based on our analysis of the case law, the determination of whether someone has consented to the monitoring of their telephone conversations is dependent on a number of factors. Consent may take one of two forms, express or implied. Express consent is not difficult to establish because one of the parties expressly agrees to the monitoring. Implied consent, on the other hand, cannot be casually inferred and is more difficult to establish. The circumstances giving rise to implied consent ordinarily include language or acts which tend to prove or disprove that a party knows of, or assents to, encroachments on the routine expectation that conversations are private. In addition, knowledge of the capability of monitoring alone cannot be considered implied consent.
Lastly, implied consent is not necessarily an all or nothing proposition. It can be of a limited nature, such as a consent to monitor business, but not personal calls.

Based on our review of SSA’s monitoring program, SSA may be subject to legal challenges with respect to whether it has the necessary employees’ or public’s consent. SSA does not obtain the express consent to monitor telephone calls from either the employees or the calling public. Consequently, the required consent must be implied. Although there are several factors to suggest that consent can be implied, there are additional factors to suggest that SSA may not have the required consent to monitor calls.

Employee Consent--With respect to SSA employees, the circumstances that support implied consent are:

• SSA usually requires that employees be notified when monitoring will take place;
• SSA labels telephones that are subject to monitoring;
• SSA employees continue to use telephones that are subject to monitoring; and
• SSA and AFGE have negotiated procedures for telephone monitoring.

However, there are circumstances that may not support a finding of implied consent. They include:

• the monitoring of calls without notifying the employee;
• the SSA/AFGE MOU which expressly states that an employee’s utilization of a telephone subject to service observation (monitoring) will not be construed as consent to being service observed.

Public Consent--With respect to public consent, the only notification to the public about monitoring is a brief statement in SSA’s public information pamphlets that some telephone calls may be monitored by a second SSA representative. Currently, an outside caller to the SSA 800 number is given no notification of the possibility of monitoring. We would agree that such notification might suffice for any person who has actually read the SSA publications; however, there is no legal requirement to read SSA publications.
Consequently, we do not believe that notification in SSA publications is evidence of implied consent to telephone monitoring by every person who contacts SSA.

In summary, SSA may have litigation risks in its telephone monitoring practices. The implied consent from the public is questionable because it is based on a presumed voluntary reading of SSA publications. In addition, the implied consent obtained from SSA employees is questionable in light of SSA’s monitoring practices which allow monitoring without notice and SSA’s MOUs which acknowledge that employees’ utilization of telephones should not be construed as implying employee consent.

Recommendation:

We recommend that SSA:

1. Take corrective actions to ensure that it meets the legal requirements for consent. This could include actions such as:

• Modifying the SSA/AFGE MOUs with respect to the provision on employees’ consent for monitoring telephone conversations.
• Including a message on the 800 number to request the consent of the public to have their calls monitored.

SSA Comment

SSA believes the Office of the Inspector General’s (OIG) interpretation of the statement concerning employees’ consent is inconsistent with the purpose of the MOUs, which deal with the impact and implementation of management’s decision to conduct service observations (monitoring). SSA also remarked that it has begun the process of promulgating regulations which will address concerns regarding the parties’ consent of service observation.

OIG Response

The Commissioner’s authorization for monitoring telephone calls at SSA states that it is for the conduct of consensual public service monitoring. In addition, it also states that the authorization may be used only after SSA has fulfilled its duty to bargain with the AFGE. The applicable MOUs specify the agreements between SSA and the AFGE with respect to telephone monitoring.
A general provision of the MOUs is that employees do not consent to being monitored. Consequently, we continue to believe that any implied consent from SSA employees is questionable. We believe this concern is best remedied by either modifying the MOUs or by including a message on the 800 number to request the consent of the public to have their calls monitored.

Continuous Positive Action to Inform the Public of Monitoring

FIRMR requires SSA to take continuous positive action to inform the public of monitoring. FIRMR is silent as to what type of notice is required. SSA believes that it satisfies this requirement by its notification to the public through its public information pamphlets. Certainly, SSA publications provide some notification to the public. However, we disagree that this requirement of FIRMR is being met by notification through SSA pamphlets. In addition, officials at GSA stated that they believe SSA should have a pre-recorded message on SSA’s 800 number to inform the public of monitoring since many callers may never receive SSA’s public information pamphlets.

Recommendation:

We recommend that SSA:

2. Provide a message on the 800 number to satisfy the FIRMR requirement of continuous positive action to inform the public of SSA’s monitoring practice.

SSA Comment

SSA commented that since FIRMR has been repealed, there is no current requirement for continuous positive action to inform the public of monitoring. However, it is reconsidering whether it will provide the recommended notice to the public.

OIG Response

We believe FIRMR recognized the actual and perceived effect of monitoring telephone calls on the privacy rights of individuals. The requirement for continuous positive notice to inform the public of monitoring addressed those concerns. Although SSA is not legally obligated to follow FIRMR, we believe the public has the right to know that their calls are being monitored.
A message on the 800 number provides the best assurance that the public is aware that their calls may be monitored.

Minimum Sampling Requirement

FIRMR requires that SSA keep the number of monitored calls to the minimum necessary to obtain a statistically valid sample. During our review, we learned that SSA monitors calls in excess of the minimum number necessary to obtain a statistically valid sample. SSA guidelines for monitoring telephone conversations allow for unlimited monitoring of TSRs’ calls for training purposes and for conduct problems.

As part of TSRs’ training, a unit supervisor will monitor up to 100 percent of trainees’ calls in their first year on the phone. They also have new TSRs listen to numerous calls of experienced TSRs to learn how to best respond to calls. While we understand that monitoring additional calls for trainees may be desirable, it is not permitted by FIRMR. Unlimited monitoring of trainees exceeds the minimum sampling requirements and is targeted at specific employees. We believe SSA should address new TSRs’ proficiency in their training program and that new TSRs should be fully trained before answering calls from the public.

SSA will also monitor calls in excess of the minimum necessary when it believes there is a conduct problem with a particular TSR, e.g., rudeness to the calling public. In these situations, supervisors will monitor additional calls to evaluate the TSR’s courtesy. This practice also is not permitted by FIRMR. The regulations do not specify any circumstances for additional monitoring of calls when conduct is a problem. We believe SSA can address problems with rude behavior on the phone without monitoring numerous conversations. The rude behavior can be easily noticed and addressed by a supervisor walking through the unit and observing TSRs while on the phone.

Recommendations:

We recommend that SSA:

3. Monitor the minimum number of calls necessary to obtain a statistically valid sample.

4. Address training needs and conduct problems by means other than additional monitoring.

SSA Comment

SSA does not believe the monitoring of 100 percent of a TSR’s telephone calls violates the minimum sampling requirement of FIRMR. It also does not believe it is practical to expect new TSRs to be proficient in responding to calls without extensive monitoring by mentors.

SSA also took exception to the statement that "rude behavior can be easily noticed and addressed by a supervisor walking through the unit and observing TSRs while on the phone." It noted that the elimination of supervisory positions and new systems furniture make visual observation of rude behavior more difficult.

OIG Response

The FIRMR requirement recognized that monitoring should be limited and kept to a minimum. We agree that this may present challenges to SSA trainers and supervisors. However, the GSA specifically stated that this was not permitted by FIRMR since it is not sampling and is targeted at specific individuals. GSA also noted that SSA needs to consider the impact on the calling public of having additional conversations monitored.

Statistically Valid Sample

FIRMR states that the monitoring should be of a statistically valid sample of calls. Statistical sampling requires that the sample be representative of the population of calls. In order to achieve this, the sample should be selected by a random process. In using a random selection process, every item in the population has a known probability of being selected. The process will eliminate personal bias or subjective considerations for the selection of sample items. Judgment sampling is not statistical sampling; it is discretionary. For example, selecting a few calls "at random" is usually included in the category of judgment sampling.
Only by the use of statistical sampling can SSA quantify, with any mathematical reliability, the quality of telephone service provided to the public.

During our audit, we interviewed unit supervisors and technical assistants who conduct most of the monitoring in TSCs. As part of the interviews, we inquired about how calls are selected for monitoring. We found that the sample of calls monitored is not statistical (representative) and is not selected randomly. Unit supervisors and/or technical assistants determine when they will monitor a call, which is usually when their schedules permit. They usually listen to a few calls in succession at their discretion and judgment. As a result, the information gathered from monitoring does not provide reliable evidence to assess the overall quality of service provided to the public.

Recommendation:

We recommend that SSA:

5. Use statistical sampling for the monitoring of telephone calls as required by FIRMR.

SSA Comment

SSA has a proposed revision to its monitoring process which recommends that unit level service observations be conducted at random. SSA is also looking into purchasing software to do this for the 800 number answering sites.

Recording Information of the Calling Public

FIRMR prohibits those who monitor calls from recording the identity (name, Social Security number, or telephone number) of the public callers. Whenever a call is monitored by a supervisor, he/she will provide documented feedback to the TSR. The feedback provides a summary of the call and whether it was answered correctly by the TSR.

As part of our review, we randomly selected a sample of documented feedback forms for 85 calls that were monitored. The forms were reviewed to determine whether identifying information of the calling public was recorded on the feedback forms.
Our review showed that, in four cases, identifying information of the calling public was improperly recorded on the feedback forms.

SSA has reminded supervisors that identifying information of the calling public cannot be recorded on the feedback forms. To ensure that this is not overlooked, we believe there should be a notice on the feedback forms to alert the monitor that identifying information of the public callers cannot be recorded.

Recommendations:

We recommend that SSA:

6. Modify the feedback forms to include a statement that identifying information of the public callers cannot be recorded.

7. Periodically review feedback forms to ensure identifying information of the public callers is not recorded.

SSA Comment

SSA will remind monitors that identifying information of the calling public should not be recorded on feedback forms. SSA’s service observation regulations will also address this issue.

SSA’s Authority to Monitor Calls Since the Rescission of FIRMR

Although FIRMR has been rescinded, SSA must continue to meet one of the required exceptions in 18 U.S.C. sections 2510, et seq., in order to continue its service observations. SSA can monitor calls only if the requirements of the consent exception or the business telephone exception are met.

Consent Exception - This exception permits telephone monitoring if at least one party consents to the monitoring. We have discussed the relevant case law and elements of this requirement in the section, Consensual Monitoring Under FIRMR. Based on our review, we continue to believe SSA may be subject to legal challenges with respect to whether it has the employees’ or public’s consent to monitor their telephone calls.
Therefore, we reaffirm our recommendation for SSA to ensure that the legal requirements for consent are met in all cases of telephone monitoring.

Business Telephone Exception - This exception permits telephone monitoring in a business setting if: (1) the telephone or telephone equipment has been provided by the telephone company or by the subscriber for connection to the subscriber’s telephone service; and (2) the telephone or telephone equipment must be used in the ordinary course of business. Consequently, SSA could monitor calls without the consent of either party if it meets both exceptions.

The type of listening devices SSA uses has a direct bearing on whether the business telephone exception is met. Our review of the relevant case law indicates that some interception devices are specifically prohibited by law. SSA uses several different devices to monitor telephone conversations. However, since SSA’s monitoring program has been based on the consent provisions of FIRMR, we did not determine whether any of these devices are prohibited under the business telephone exception. We have concerns that some equipment SSA uses may be prohibited. This concern was also noted in a recent legal opinion by SSA’s Office of the General Counsel (OGC) that suggested some of the monitoring equipment SSA uses might not qualify for the business telephone exception.

If SSA plans to use the business telephone exception as the legal basis for its monitoring program, it should determine whether any of the equipment it uses is prohibited by law. In addition, if SSA plans to use the business exception, it will have to modify the applicable SSA/AFGE MOUs since they are based on the consent provisions of FIRMR.

Recommendations:

We recommend that SSA:

8. Determine whether any of the monitoring equipment SSA uses is prohibited under the business telephone exception.

9. Modify the applicable SSA/AFGE MOUs if it plans to use the business telephone exception.

SSA Comment

SSA responded that the facts of a given case determine whether or not a particular call was permissibly monitored. It will use the consent exception as its primary legal defense to challenges to its program. It may rely on the business telephone exception as a secondary defense where applicable and necessary.

SSA also commented that it could find nothing in the current MOUs that implies that its monitoring practices do not fall within the business telephone exception, nor could it find anything in the MOUs that states it has agreed to follow the consent provisions of the FIRMR. Lastly, the FIRMR did not address or limit SSA’s reliance on the business telephone exception.

OIG Response

The Commissioner’s authorization for monitoring telephone calls at SSA states that it is for the conduct of consensual public service monitoring. It does not authorize monitoring under the business telephone exception. While the MOUs do not specifically state that SSA will follow the consent provisions of FIRMR, they are based on the Commissioner’s authorization. Lastly, we strongly disagree that FIRMR did not limit or prevent SSA from using the business telephone exception. The FIRMR clearly specified that telephone monitoring must be consensual.

If SSA plans to use the business telephone exception as a secondary defense to its program, it can only be done prospectively after the Commissioner authorizes it. If the business telephone exception is authorized by the Commissioner, then SSA must still address whether the equipment it uses is permitted under the business telephone exception and must still modify the MOUs to allow for it.

Action Needed by SSA

We believe the repeal of FIRMR raises serious concerns for SSA and other Federal agencies that monitor telephone calls.
It is unclear under what authority agencies are engaging in telephone monitoring. FIRMR had very specific requirements which carefully prescribed the manner in which agencies should monitor calls to the public. There are also significant criminal or civil penalties when telephone monitoring is improperly used.

Given these concerns, we believe new regulations are needed. However, we encountered varying opinions as to which Federal agency has the authority to promulgate regulations. We have been advised by GSA that it retains the authority to prescribe regulations on telephone monitoring; however, SSA’s OGC believes SSA has the authority to promulgate its own regulations. Regardless of where that authority rests, we believe SSA needs to take expeditious action to resolve this issue to ensure its telephone monitoring program is legally supportable.

Recommendation:

We recommend that SSA:

10. Meet with GSA and OMB to determine SSA’s authority to monitor telephone conversations.

SSA Comment

SSA replied that it could find no current GSA or OMB guidance that prohibits telephone monitoring. It asserts that the only current Federal limitation on telephone monitoring is 18 U.S.C. sections 2510-2520.

OIG Response

We recommend that SSA confirm with appropriate officials at GSA and OMB that it is authorized to promulgate regulations with respect to telephone monitoring.

Agreement to Comply with State Laws

We believe that Federal law has preempted the issue of telephone monitoring; therefore, State laws would not affect SSA’s telephone monitoring program. This is because the Supremacy Clause of the U.S. Constitution prevents State regulation unless Congress affirmatively declares that Federal agencies are subject to State laws.
We found nothing in our review of the Federal law to indicate that Congress has affirmatively declared that a Federal agency would be required to submit to State laws for telephone monitoring.

However, the SSA/AFGE MOUs include provisions which SSA and AFGE have agreed to follow. Included in the MOUs is the agreement that SSA will be bound by applicable State laws. This is a contract provision and may be binding on SSA even though SSA would not otherwise be compelled to obey State laws. We found no indication that SSA has identified the conditions of the applicable State laws it has agreed to follow. This could have a significant effect on the manner in which SSA monitors calls. For example, several States require that both or all parties to a telephone conversation must have knowledge and consent to the monitoring. In addition, some States do not recognize the business telephone exception.

Recommendation:

We recommend that SSA:

11. Identify and review any applicable State laws it has agreed to follow and develop policies and procedures to ensure compliance. Modify any MOUs to reflect SSA’s interpretation with respect to the applicability of State laws.

SSA Comment

Although SSA agreed that the Supremacy Clause of the Constitution prevents State regulation unless Congress affirmatively declares that Federal agencies are subject to State laws, it does not believe that the statement in the MOUs requires them to follow applicable State laws. SSA’s interpretation of the MOUs is that it obligates SSA to comply with State statutes only if Congress acts to make the State statutes applicable to SSA.

OIG Response

We agree that the Supremacy Clause ordinarily exempts SSA from State regulations.
However, the fact that the provision in the MOU is subject to interpretation presents a litigation risk that a Court could find that State laws apply to SSA’s telephone monitoring program.

INTERNAL CONTROLS TO ENSURE COMPLIANCE WITH LAWS, REGULATIONS, AND SSA’s MOU

FIRMR required agencies to establish controls to ensure compliance with its regulations. In addition, OMB Circular A-123 requires agencies to establish general management controls to ensure compliance with the law and to provide reasonable assurance that assets are safeguarded against unauthorized use.

A-123 requires that:

• Access to resources and records should be limited to authorized individuals and accountability for the custody and use of resources should be assigned and maintained.
• Transactions should be promptly recorded, properly classified, and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination.

During our review, we found that SSA has limited or no controls in place to ensure compliance with 18 U.S.C. sections 2510, et seq., or applicable laws and regulations. We identified the following weaknesses with the Service Observation System which SSA uses to monitor telephone calls.

No Record or Audit Trail of Monitored Calls

As part of our audit, we planned to review an historical sample of telephone calls that were monitored by SSA personnel. This was necessary so we could determine whether SSA’s monitoring practices were in compliance with FIRMR, SSA policy, and the various AFGE MOUs. We were unable to review any records of monitored calls because SSA’s monitoring software does not produce any type of record or audit trail when calls are monitored.
In addition, SSA cannot provide basic management information on the number and types of calls that are being monitored.

Since there is no historical record of telephone calls that have been monitored, we could not determine whether:

• unauthorized officials are monitoring telephone calls;
• authorized or unauthorized officials are illegally monitoring personal calls of employees;
• authorized or unauthorized officials are monitoring calls in excess of the numbers allowed; or
• authorized or unauthorized officials are illegally recording telephone conversations while monitoring calls from remote locations (employees’ home phones, offices, etc.).

We believe the absence of an audit trail for monitored telephone conversations does not meet the criteria for recording and documenting transactions as specified by OMB Circular A-123. Given this limitation, SSA does not have reasonable assurance that monitoring is always being used for its authorized purposes.

Access Controls to Monitoring Software Are Minimal

The ability to monitor calls should be restricted only to authorized individuals. In an automated system, access is normally restricted by the assignment of a personal identification number (PIN) to identify users, passwords to authenticate their identity, and profiles to specify what functions may be performed by a user.

As part of our review, we evaluated the controls that restrict access to SSA’s monitoring software. We found that the access controls were minimal. In most cases, observers are not required to enter a PIN or password in order to monitor telephone conversations. Consequently, there is no systematic means to prevent or detect unauthorized users from monitoring calls. In addition, there are no means to determine and authenticate the identity of individuals who use the monitoring software.

We noted that SSA has some safeguards against unauthorized access to monitoring.
Access to monitoring calls is restricted since usually\nit can only be done from a supervisor\xc2\x92s or technical assistant\xc2\x92s\ntelephone. However, in our opinion this provides only limited assurance\nagainst unauthorized access to monitoring calls. This limited assurance\nis exacerbated by the following conditions we identified with the\nmonitoring software.\nSoftware\nConfiguration Allows Improper Monitoring\nIn order to ensure that authorized individuals are monitoring calls\nin accordance with FIRMR, SSA policy, and the various AFGE MOUs,\nthere should be some safeguards to ensure persons are acting within\nthe scope of their authority. Based on our review of SSA\xc2\x92s monitoring\nsoftware, we found there were only limited controls to ensure individuals\ndo not exceed the scope of their authority. We identified the following\nweaknesses with the software:\nIt does not restrict observers from listening to calls of employees\noutside their areas of authority or responsibility. For example,\nany of the 46 unit supervisors and 45 technical assistants at the\nBaltimore and Auburn TSCs can listen to calls in their respective\nunits and in all of the other units within the TSC.\nIt allows for unauthorized monitoring of calls that take place\non administrative phones and employees\xc2\x92 personal phone lines.\nFor example, in the Baltimore TSC, the 23 unit supervisors and\n22\xc2\xa0technical assistants can listen to calls on 23 administrative\nphones and on the personal phone lines of 487\xc2\xa0TSRs.\nIt allows for monitoring of calls from administrative and clerical\nphones to which no one is personally assigned, and by individuals\nwho do not have the authority to monitor calls. For example, in\nthe Auburn TSC, there are 39 phones that improperly have monitoring\ncapability. 
This includes administrative or unit phones, secretarial phones, phones in the mail room, and a phone in the local AFGE union office.
• It allows for monitoring from phones outside of the Agency. Monitoring can be performed from remote locations outside of SSA’s phone system. Any touch tone telephone can be used (including individuals’ home phones) to monitor telephone conversations.

We believe the monitoring software should be revised to prevent these types of improper monitoring. This condition is exacerbated by the fact that improper monitoring can be done without any record or audit trail being established. Consequently, there is also no systematic means to detect instances in which individuals have improperly exceeded their authority to monitor telephone conversations.

Recommendations:

We recommend that SSA modify the monitoring software to:

12. Establish a record and/or audit trail whenever a call is monitored.

SSA Comment

SSA will explore this recommendation to determine if it would be cost effective and beneficial to the monitoring process and will make a final determination by the end of the calendar year.

13. Require a PIN/password for access.

SSA Comment

SSA will explore this recommendation and make a final determination no later than the end of this calendar year.

14. Prevent observers from listening to calls of employees outside their areas of authority or responsibility.

SSA Comment

SSA will not pursue this recommendation. Because of the limited number of supervisory positions, they must have the flexibility to monitor calls of employees in other units.

OIG Response

Some limits should be established to prevent observers from listening to calls of employees for whom they have no supervisory responsibilities. In cases where it is not practical to do so, SSA should use the audit trail as suggested in recommendation 12 to detect and investigate monitoring of this type to ensure it is proper.

15.
Prevent the monitoring of calls on administrative phones, as well as employees’ personal phone lines.

SSA Comment

SSA agreed with this recommendation and will instruct offices to ensure that all telephones not subject to monitoring be blocked.

16. Remove the monitoring capability from all unauthorized administrative and clerical phones.

SSA Comment

SSA agreed with this recommendation and will instruct offices to remove the monitoring capability from all telephones that will not be used for monitoring calls.

17. Prevent the monitoring of calls from any phone that is outside of SSA’s phone system.

SSA Comment

SSA will explore the technical feasibility of this recommendation and reach a final decision within 90 days.

18. Use the audit trail to identify and investigate instances of improper monitoring.

SSA Comment

If SSA decides to establish an audit trail, it will be used to investigate instances of improper monitoring.

SSA Reviews to Assess Compliance with Laws, FIRMR, and MOUs

OMB Circular A-123 states that agency managers should continuously monitor and improve the effectiveness of management controls associated with their programs. This includes periodic evaluations and reviews expressly for the purpose of assessing management controls.

During our review, we learned that SSA had received congressional inquiries in 1993 that expressed concerns about SSA’s telephone monitoring practices. As a result of these concerns, SSA’s Deputy Commissioner for Operations requested that each Regional Commissioner provide a plan to do periodic reviews of the telephone monitoring practices in his/her region to ensure compliance with FIRMR and AFGE MOUs.
The Deputy Commissioner for Operations noted that, despite attempts to correct the problems, some TSC managers continue to violate the regulations and MOUs regarding the proper monitoring of calls.

In our review of the Baltimore, Maryland, and Auburn, Washington, TSCs, we found that neither office has performed, nor plans to perform, any periodic reviews of the monitoring practices in their offices.

Recommendation:

We recommend that SSA:

19. Conduct periodic reviews of the telephone monitoring program to ensure it is in compliance with applicable laws and regulations, SSA policy, and SSA/AFGE MOUs. The result of these reviews should be reported to the Commissioner.

SSA Comment

SSA agreed that it would be a good practice to periodically review the Agency’s monitoring practices.

SUMMARY AND CONCLUSIONS

SSA’s monitoring of telephone conversations is a valuable assessment method. It is likely the most effective method to determine the quality of service SSA is providing to the public through its 800 number. However, this practice must be designed with appropriate safeguards because of the actual and perceived effect on the privacy rights of the employees and the calling public. This practice also exposes SSA to criminal or civil penalties imposed by Federal laws when monitoring is improperly applied. FIRMR recognized the need to limit the circumstances for which monitoring is permitted and to carefully control telephone monitoring activities to ensure it is not abused. Since FIRMR has been rescinded, we believe the authority to monitor telephone conversations is questionable and there is a compelling need for new regulations.

We also believe the conditions noted in this report represent an unacceptable risk of noncompliance with the Federal laws and regulations and that the telephone monitoring practice is not being used for its intended purpose.
The corrective actions recommended, if implemented, will improve the legal basis for SSA’s telephone monitoring practices and will minimize the likelihood of improper monitoring.

APPENDICES

APPENDIX B

MAJOR CONTRIBUTORS

Office of the Inspector General

Judith Kidwell, Counsel to the Inspector General
Jim Klein, Senior Auditor
Jerry Hockstein, Program Analyst